Automation

A powerful low-to-no-code approach that allows your SOC to start automating complex tasks on day one.

Contact sales

Installable workflows

View all

These are additional workflows that you can choose to install from Cisco, its partners, and the Cisco XDR community. These are not installed by default and offer additional use cases beyond the workflows built into Cisco XDR. More information about installable workflows can be found in the Cisco XDR product documentation.

Logo for Cisco Identity Intelligence
Cisco Identity Intelligence: Threat Hunt Failed Check - Webhook
Community
This workflow will be triggered by the configured CII failed checks, parse it and will do a threat hunt for it.
Learn more
Logo for Orbital
Cisco Orbital - Incident Response - Force User Logout
Community
This incident response workflow consumes one or more users (user or process_username) and attempts to force a logout from endpoints running windows, mac or linux.
Incident Response
Learn more
Logo for Secure Malware Analytics
Cisco Secure Malware Analytics - XDR incident and notification
Community
This scheduled workflow executes a search query in Cisco Secure Malware Analytics for new private samples submitted and convinced as malicious.
Learn more
C
Cisco XDR - Add Observable to Intelligence Feed
Cisco Managed
This workflow appears in the pivot menu and allows you to add an observable to a threat intelligence feed in Cisco XDR.
Pivot Menu
Learn more
Logo for ExtraHop Reveal(x) 360
ExtraHop Reveal(x) 360 - Remove Device from Watchlist
Cisco Managed
This workflow appears in the pivot menu and allows a user to remove a device from the ExtraHop watchlist.
Pivot Menu
Learn more

Built-in workflows

View all

Workflows typically achieve an end-to-end use case. For example, fetching information from an incident, identifying endpoints to isolate, and requesting isolation for each endpoint. If you're familiar with software development, think of a workflow as a script that achieves an end-to-end outcome by taking one or more smaller steps. The workflows listed here are built into Cisco XDR and do not require installation or, in most cases, configuration. More information about workflows can be found in the Cisco XDR product documentation.

XDR - Automation Rule - Update Incident Properties
Cisco Managed
This workflow allows you to update an incident's properties.
Learn more
XDR - Close and Export Incident
Cisco Managed
This workflow is designed to be executed when an incident is resolved and ready to be closed.
Learn more
XDR - Contain Incident: Domains
Cisco Managed
This workflow consumes one or more domains and attempts to block them in all supported products.
Learn more
XDR - Contain Incident: File Hashes
Cisco Managed
This workflow consumes one or more SHA-256 file hashes and attempts to block them in all supported products.
Learn more
XDR - Restore Users
Cisco Managed
This workflow consumes one or more usernames or email addresses and attempts to restore matching users in all supported products.
Learn more

Built-in actions

View all

Also known as atomic actions, these are small, reusable components you can use when building a workflow. Cisco XDR comes with over 500 actions built in for various products and capabilities or you can build your own. If you're familiar with software development, think of a workflow as a script that achieves an end-to-end outcome and an action as a function within the script. Actions usually do perform a specific, single task like creating a ticket or sending an instant message. More information about built-in actions can be found in the Cisco XDR product documentation.